CVE-2025-64495
📋 TL;DR
Open WebUI versions 0.6.34 and below contain a DOM-based cross-site scripting (XSS) vulnerability in the custom prompt insertion feature. When 'Insert Prompt as Rich Text' is enabled, malicious users with prompt creation permissions can inject JavaScript payloads that execute when other users insert those prompts via the / command interface. This affects all self-hosted Open WebUI instances running vulnerable versions.
💻 Affected Systems
- Open WebUI
📦 What is this software?
Open Webui by Openwebui
⚠️ Risk & Real-World Impact
Worst Case
A malicious actor with prompt creation privileges plants a persistent XSS payload that steals session cookies or credentials, or performs actions as authenticated users, when they insert the malicious prompt, potentially leading to full account compromise.
Likely Case
An authenticated user with prompt creation rights exploits the vulnerability to steal session tokens or credentials from other users who insert their malicious prompts, enabling lateral movement within the application.
If Mitigated
With proper input validation and output encoding, the risk is limited to users who intentionally insert untrusted prompts, but the default configuration remains vulnerable.
🎯 Exploit Status
Exploitation requires an authenticated user with prompt creation permissions. The vulnerability is straightforward to exploit once an attacker has the required access level.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.35
Vendor Advisory: https://github.com/open-webui/open-webui/security/advisories/GHSA-w7xj-8fx7-wfch
Restart Required: Yes
Instructions:
1. Back up your Open WebUI configuration and data.
2. Update Open WebUI to version 0.6.35 or later using your deployment method (Docker, manual install, etc.).
3. Restart the Open WebUI service.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Disable Rich Text Prompt Insertion
(All platforms) Disable the 'Insert Prompt as Rich Text' feature globally to prevent exploitation of the vulnerable code path.
Modify Open WebUI configuration to disable rich text prompt insertion feature
Restrict Prompt Creation Permissions
(All platforms) Tighten access controls to limit which users can create custom prompts, reducing the attack surface.
Review and modify user role permissions in Open WebUI configuration
🧯 If You Can't Patch
- Disable the 'Insert Prompt as Rich Text' feature immediately in all configurations
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check if Open WebUI version is 0.6.34 or below and verify if 'Insert Prompt as Rich Text' feature is enabled in the configuration.
Check Version:
Check the Open WebUI web interface settings or run: docker inspect open-webui | grep VERSION
Verify Fix Applied:
After updating to version 0.6.35 or later, verify that prompt insertion no longer uses .innerHTML without proper sanitization by checking the RichTextInput.svelte component.
📡 Detection & Monitoring
Log Indicators:
- Unusual prompt creation activity
- Multiple failed prompt insertion attempts
- Suspicious JavaScript patterns in prompt content
Network Indicators:
- Unexpected external requests from the Open WebUI application
- Data exfiltration patterns
SIEM Query:
source="open-webui" AND (event="prompt_creation" OR event="prompt_insertion") AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")
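The SIEM query above matches only two literal strings, so markup such as event-handler attributes passes unnoticed. The following triage script is an added example, not code from the advisory or from the Open WebUI project: it checks a version string against the 0.6.35 fix and flags stored prompts whose content would carry active markup into an HTML sink. The prompt field names (`command`, `content`) and the sample prompts are assumptions constructed for illustration.

```javascript
// Added example: triage stored prompts for markup that runs script when inserted as HTML.
// Field names (command, content) and the sample prompts are assumptions, constructed here.

const FIXED_VERSION = [0, 6, 35]; // patch version named in the advisory

// True when a dotted version string is older than 0.6.35.
function isVulnerableVersion(version) {
  const parts = version.replace(/^v/, "").split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const have = parts[i] || 0;
    if (have !== FIXED_VERSION[i]) return have < FIXED_VERSION[i];
  }
  return false;
}

// Indicators of active content; broader than matching "<script>" alone.
const INDICATORS = [
  ["script-tag", /<\s*script\b/i],
  ["event-handler-attr", /<[^>]*\son[a-z]+\s*=/i],
  ["javascript-uri", /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i],
  ["embedding-element", /<\s*(?:iframe|object|embed)\b/i],
];

// Returns the names of every indicator found in one prompt body.
function auditPrompt(content) {
  return INDICATORS.filter(([, re]) => re.test(content)).map(([name]) => name);
}

// Returns [{ command, findings }] for prompts that need manual review.
function auditPrompts(prompts) {
  return prompts
    .map((p) => ({ command: p.command, findings: auditPrompt(p.content || "") }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample data, not taken from a real instance.
const samplePrompts = [
  { command: "/summarize", content: "Summarize the following text in 3 bullets:" },
  { command: "/review", content: 'Review this <img src="x" onerror="void 0"> code' },
  { command: "/links", content: '<a href="javascript:void 0">docs</a>' },
  { command: "/js-help", content: "Explain javascript: closures and onclick = handlers" },
];

if (isVulnerableVersion("0.6.34")) {
  for (const r of auditPrompts(samplePrompts)) console.log(r.command, r.findings.join(","));
}
```

A hit is a reason to review the prompt and its author, not proof of compromise; legitimate prompts about HTML can match, and the patterns are a triage aid rather than a sanitizer.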
🔗 References
- https://github.com/open-webui/open-webui/blob/7a83e7dfa367d19f762ec17cac5e4a94ea2bd97d/src/lib/components/common/RichTextInput.svelte#L348
- https://github.com/open-webui/open-webui/commit/eb9c4c0e358c274aea35f21c2856c0a20051e5f1
- https://github.com/open-webui/open-webui/security/advisories/GHSA-w7xj-8fx7-wfch